07-06-2010 06:43 AM - edited 03-11-2019 11:08 AM
We have an ASA5500 with 3 interfaces: outside, dmz, inside.
We have a number of static NATs translating a given public IP to DMZ servers, and that all works fine. However, for testing purposes we need to be able to access the public IP from the inside interface.
I tried the following but that did not work:
static (inside,inside) <public_IP> <dmz_IP> netmask 255.255.255.255
What translation is missing to allow users from the inside to access the public IP address?
07-06-2010 06:53 AM
I would start with
static (dmz,inside)
Enable logging at the informational level and test.
After test do "show logg | i IP.address"
Marcin
07-06-2010 07:09 AM
Hello,
As Marcin said, you need to configure the static with "static (DMZ,inside)" and
static (inside,DMZ)
or
access-list nonat permit ip
nat (inside) 0 access-list nonat
or
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
This will ensure that all traffic from inside (higher security) is going to DMZ with proper NAT translations.
Hope this helps.
07-06-2010 07:32 AM
So which one is it?
Marcin says:
static (dmz,inside)
Nagaraja says:
static (inside,DMZ)
and what is the logic behind this?
07-06-2010 07:34 AM
We're not contradicting each other. :-)
You need to make sure that servers from DMZ to inside are translated (what I was going for).
But at the same time, it's best to NAT inside users to something on DMZ, be it identity or PAT.
07-06-2010 08:11 AM
You need both of them for proper communication between the interfaces, i.e. inside and DMZ. As Marcin said, one will ensure that when your inside hosts try to access the public IP of the DMZ server, it gets translated to the corresponding DMZ IP. The other one is needed to satisfy the firewall requirement, i.e. NAT rules are needed when you go from a higher security interface (inside) to a lower security interface (DMZ).
Hope this helps.
07-06-2010 08:43 AM
I have added the following 2 lines to the firewall:
static (dmz,inside)
The users on the inside are 172.0.0.0/8
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0
This is the translation from the outside; it was there before:
static (dmz,outside)
I am still unable to access the public address from the inside or from the DMZ.
07-06-2010 08:47 AM
What went wrong? Can you please check the logs (informational level)?
Marcin
07-06-2010 08:49 AM
Do you have any nonat or identity NAT configurations from DMZ to inside? It would look like:
nat (DMZ) 0 access-list
or
static (DMZ,inside) 192.168.1.x 192.168.1.x netmask 255.255.255.255
If you have these, that could be the reason you are not able to access. Please modify the configuration so that there is no identity nat from DMZ to inside.
Hope this helps.
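As an added example (not taken from any of the replies above), here is the pre-8.3 ASA configuration the thread converges on, written out with constructed addresses: 203.0.113.10 for the public IP, 192.168.1.10 for the DMZ server, and the 172.0.0.0/8 inside range the original poster gave. Interface names follow the thread.

```text
! Added example, not from the thread. Constructed values:
!   public IP  203.0.113.10   (documentation address)
!   DMZ server 192.168.1.10   (the thread's 192.168.1.x)
!   inside     172.0.0.0/8    (as stated by the poster)
! Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask

! 1. Existing translation: the DMZ server is reachable from the Internet
!    as 203.0.113.10 (the "translation from the outside" that was already there).
static (dmz,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! 2. Marcin's piece: publish the same mapped address on the inside interface,
!    so inside clients connecting to 203.0.113.10 are untranslated to the DMZ host.
static (dmz,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! 3. Nagaraja's piece: inside (higher security) -> dmz (lower security) needs
!    a translation when nat-control is on; identity NAT keeps the real source.
static (inside,dmz) 172.0.0.0 172.0.0.0 netmask 255.0.0.0

! Rules to look for and remove or narrow, per the last reply: a NAT exemption
! or identity static from dmz to inside that covers the server. Those are
! matched ahead of the static in step 2 and stop it from applying to that host.
!   nat (dmz) 0 access-list nonat
!   static (dmz,inside) 192.168.1.10 192.168.1.10 netmask 255.255.255.255

! Verification: drop existing xlates (old translations persist until cleared),
! then test from an inside host and read the informational syslogs as Marcin
! suggested.
logging enable
logging buffered informational
clear xlate
show xlate | include 203.0.113.10
show logging | include 203.0.113.10
```

Traffic from inside to dmz is permitted by default only if no access-group is applied to the inside interface; if one is, it also needs an entry for the DMZ server's real address.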